开源 PKI 实现 XiPKI

Apache
Java
跨平台
2019-08-07
红薯

XiPKI (eXtensible sImple Public Key Infrastructure) 是一个高度可伸缩和高性能的开源 PKI 实现(CA and OCSP responder).

要求:

  • OS: Linux, Windows, MacOS
  • JRE / JDK 8 (build 162+), 9, 10, 11, 12, 13
  • Database: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB

特性:

  • CA (Certification Authority)

    • X.509 Certificate v3 (RFC 5280)
    • X.509 CRL v2 (RFC 5280)
    • EdDSA Certificates (RFC 8410, RFC 8032)
    • Diffie-Hellman Proof-of-Possession Algorithms (RFC 6955)
    • SCEP (draft-gutmann-scep-00, draft-nourse-scep-23)
    • EN 319 411 (eIDAS)
    • EN 319 412 (eIDAS)
    • Supported databases: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
    • Direct and indirect CRL
    • FullCRL and DeltaCRL
    • Customized extension to embed certificates in CRL
    • CMP (RFC 4210 and RFC 4211)
    • API to specify customized certificate profiles
    • Support of JSON-based certificate profile
    • API to specify customized publisher, e.g. for LDAP and OCSP responder
    • Support of publisher for OCSP responder
    • Public key types of certificates
      • RSA
      • EC
      • DSA
      • Ed25519, Ed448
      • X25519, X448
      • SM2
    • Signature algorithms of certificates
      • Ed25519, Ed448
      • SM3withSM2
      • SHA3-*withRSA: where * is 224, 256, 384 and 512
      • SHA3-*withRSAandMGF1: where * is 224, 256, 384 and 512
      • SHA3-*withECDSA: where * is 224, 256, 384 and 512
      • SHA3-*withDSA: where * is 224, 256, 384 and 512
      • SHA*withRSA: where * is 1, 224, 256, 384 and 512
      • SHA*withRSAandMGF1: where * is 1, 224, 256, 384 and 512
      • SHA*withECDSA: where * is 1, 224, 256, 384 and 512
      • SHA*withPlainECDSA: where * is 1, 224, 256, 384 and 512
      • SHA*withDSA: where * is 1, 224, 256, 384 and 512
  • Native support of X.509 extensions (other extensions can be supported by configuring it as blob)

    • AdditionalInformation (German national standard CommonPKI)
    • Admission (German national standard CommonPKI)
    • AuthorityInformationAccess (RFC 5280)
    • AuthorityKeyIdentifier (RFC 5280)
    • BasicConstraints (RFC 5280)
    • BiometricInfo (RFC 3739)
    • CertificatePolicies (RFC 5280)
    • CRLDistributionPoints (RFC 5280)
    • CT Precertificate SCTs (RFC 6962)
    • ExtendedKeyUsage (RFC 5280)
    • FreshestCRL (RFC 5280)
    • InhibitAnyPolicy (RFC 5280)
    • IssuerAltName (RFC 5280)
    • KeyUsage (RFC 5280)
    • NameConstraints (RFC 5280)
    • OcspNoCheck (RFC 6960)
    • PolicyConstrains (RFC 5280)
    • PolicyMappings (RFC 5280)
    • PrivateKeyUsagePeriod (RFC 5280)
    • QCStatements (RFC 3739, eIDAS standard EN 319 412)
    • Restriction (German national standard CommonPKI)
    • SMIMECapabilities (RFC 4262)
    • SubjectAltName (RFC 5280)
    • SubjectDirectoryAttributes (RFC 3739)
    • SubjectInfoAccess (RFC 5280)
    • SubjectKeyIdentifier (RFC 5280)
    • TLSFeature (RFC 7633)
    • ValidityModel (German national standard CommonPKI)
    • GM/T 0015 IdentityCode (个人身份标识码, Chinese Standard GM/T 0015-2012)
    • GM/T 0015 InsuranceNumber (个人社会保险号, Chinese Standard GM/T 0015-2012)
    • GM/T 0015 ICRegistrationNumber (企业工商注册号, Chinese Standard GM/T 0015-2012)
    • GM/T 0015 OrganizationCode (企业组织机构代码, Chinese Standard GM/T 0015-2012)
    • GM/T 0015 TaxationNumber (企业税号, Chinese Standard GM/T 0015-2012)
  • Management of multiple CAs in one software instance

  • Support of database cluster

  • Multiple software instances (all can be in active mode) for the same CA

  • Native support of management of CA via embedded OSGi commands

  • API to specify CA management, e.g. GUI

  • Database tool (export and import CA database) simplifies the switch of databases, upgrade of XiPKi and switch from other CA system to XiPKI CA

  • Client to enroll, revoke, unrevoke and remove certificates, to generate and download CRLs

  • All configuration of CA except those of databases is saved in database

  • OCSP Responder

    • OCSP Responder (RFC 2560 and RFC 6960)
    • Support of Common PKI 2.0
    • Management of multiple certificate status sources
    • Support of certificate status source based on the database of XiPKI CA
    • Support of certificate status source based on the OCSP database published by XiPKI CA
    • Support of certificate status source CRL and DeltaCRL
    • Support of certificate status source published by EJBCA
    • API to support proprietary certificate sources
    • Support of both unsigned and signed OCSP requests
    • Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources.
    • Supported databases: DB2, MariaDB, MySQL, Oracle, PostgreSQL, H2, HSQLDB
    • Database tool (export and import OCSP database) simplifies the switch of databases, upgrade of XiPKi and switch from other OCSP system to XiPKI OCSP.
    • Client to send OCSP request
  • SCEP

    • Supported SCEP versions
      • draft-gutmann-scep-00
      • draft-nourse-scep-23
  • Toolkit (for both PKCS#12 and PKCS#11 tokens)

    • Generating keypairs of RSA, EC and DSA in token
    • Deleting keypairs and certificates from token
    • Updating certificates in token
    • Generating CSR (PKCS#10 request)
    • Exporting certificate from token
  • For both CA and OCSP Responder

    • Support of PKCS#12 and JKS keystore
    • Support of PKCS#11 devices, e.g. HSM
    • API to use customized key types, e.g. smartcard
    • High performance
    • Support of health check
    • Audit with syslog and slf4j
  • For CA, OCSP Responder and Toolkit

    • API to resolve password
    • Support of PBE (password based encryption) password resolver
      • All passwords can be encrypted by the master password
    • Support of OBF (as in jetty) password resolver
的码云指数为
超过 的项目
加载中

评论(0)

暂无评论

暂无资讯

暂无问答

暂无博客

返回顶部
顶部